Dear Olaf,

Thank you so much for your reply.

> problem: You're trying to deliver the HSTS header for some, but not all of the requests coming in(?) (Otherwise, please correct)

No. I want to respond with the HSTS header on all requests, but after I followed the configuration below it does not respond with the HSTS header on some requests, such as http://192.168.1.1/%20 or http://192.168.1.1/%3e. I think the url pattern /* is not applied to requests with special characters in the path.

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

Regards.

ปฐวี สรรค์ชล / Pattavee SANCHOL
Thai Digital ID CO.,LTD. <http://www.thaidigitalid.com>
319, 25th Floor, Room 10-11, Chamchuri Square Building, Phayathai Road, Phathum Wan, Bangkok Thailand 10330
Tel : +66-029-0290 ext. 3317
E-mail : pattavee....@thaidigitalid.com

On Thu, Dec 26, 2019 at 6:11 PM Olaf Kock <tom...@olafkock.de> wrote:
>
> On 26.12.19 11:22, Pattavee Sanchol wrote:
> > Dear support team
> >
> > I configured the Tomcat server to enable HSTS; some request URI paths do not
> > respond with the security header
> >
> > ...
> >
> > Some request URIs, such as http://192.168.1.1/%20, do not respond with the
> > security header
> >
> > this is working
> >
> > image.png
> > this is not working
> > image.png
>
> Note: Images are stripped from the list, but I hope that I get the
> problem: You're trying to deliver the HSTS header for some, but not all
> of the requests coming in(?) (Otherwise, please correct)
>
> I believe that this is chasing a ghost: It's a lot of work to make it
> happen, but doesn't have any meaningful advantage: If *any* request
> states that the server *only* wants to see HTTPS traffic, it doesn't
> matter if *more* requests also state the same: The server will need to
> provide proper answers to any HTTPS connection. You're basically asking
> everybody who ever saw the HSTS header during the last 31536000 seconds
> (your configuration) to rewrite a http-URL to a https-URL.
>
> Thus, I'd recommend just not worrying about any specific conditions to
> apply for those headers. Just send them - they don't harm, or make any
> difference. Or give us some more specific reasons that I might have missed.
>
> Olaf
>
> --
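As an added check (my own script, not code from the thread or from Tomcat), the following Python requests each path over TLS and reports whether the response carried a usable Strict-Transport-Security header, so the status code of the odd paths from the thread (/%20, /%3e) can be seen next to the header verdict. Requests go over HTTPS because browsers ignore HSTS received over plain HTTP; the host, port and path list are placeholders you supply.

```python
"""Probe a host for the Strict-Transport-Security header on several paths."""
import http.client
import ssl

# Constructed sample: the paths from the thread plus two ordinary ones.
SAMPLE_PATHS = ["/", "/index.html", "/%20", "/%3e"]
HSTS = "strict-transport-security"


def parse_hsts(value):
    """Parse an HSTS header value into a dict; max-age becomes an int."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        directives[name] = int(val.strip().strip('"')) if name == "max-age" else True
    return directives


def classify(status, headers):
    """Verdict for one response; headers is a list of (name, value) pairs."""
    value = next((v for n, v in headers if n.lower() == HSTS), None)
    if value is None:
        # A 4xx/5xx without the header may have been produced by the container
        # before the filter chain ran (e.g. a rejected URI), so check the status
        # before blaming the filter mapping.
        return "missing (error page)" if status >= 400 else "missing"
    try:
        directives = parse_hsts(value)
    except ValueError:
        return "invalid (bad max-age)"
    if "max-age" not in directives:
        return "invalid (no max-age)"
    verdict = "present max-age=%d" % directives["max-age"]
    if "includesubdomains" in directives:
        verdict += " includeSubDomains"
    return verdict


def probe(host, paths=SAMPLE_PATHS, port=443, context=None):
    """GET each path over TLS; returns {path: (status, verdict)}. Hypothetical
    helper: pass your own ssl context for a test host with a private CA."""
    context = context or ssl.create_default_context()
    results = {}
    for path in paths:
        conn = http.client.HTTPSConnection(host, port, context=context, timeout=5)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        results[path] = (resp.status, classify(resp.status, resp.getheaders()))
        conn.close()
    return results
```

Run it with `probe("your.host")` and print the dict; a path that shows an error status with a missing header is a different problem from a 200 without the header.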